Configure Linux to Authenticate to eDirectory via LDAP

Novell Cool Solutions: Feature

This document describes the steps necessary to configure system authentication of a Linux host to Novell eDirectory over LDAP. It covers the configuration of the Linux host (the LDAP client) and of Novell eDirectory (the LDAP server). The result is that system logins on the Linux host are redirected via LDAP to Novell eDirectory.

Many Linux systems use an authentication architecture named Pluggable Authentication Modules (PAM). PAM provides a flexible authentication model for the system and for PAM-aware applications. Many Linux distributions ship with the PAM and name-service modules that allow the system to authenticate to an LDAP server such as Novell eDirectory. These modules (pam_ldap and nss_ldap) are provided by PADL Software Pty Ltd.

Two services need to be configured for LDAP authentication to work correctly. First, the system naming service (the name service switch, configured in /etc/nsswitch.conf) needs to use LDAP to resolve resources such as user and group accounts. For example, if a directory is owned by user 510, the naming service must resolve uid 510 to a user name. Normally this is done by looking the account up in the /etc/passwd file. Since users will now be stored in eDirectory, the system must resolve accounts in both the passwd file and in eDirectory. This functionality is provided by the /usr/lib/libnss_ldap.so library. The configuration outlined in this document sets the naming service to check the local /etc/passwd file first, so that local accounts such as root still resolve when the LDAP server is unreachable, and then check the LDAP server.
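The lookup order described above is what keeps root usable when eDirectory is down. The following shell check is an added example, not part of the original article: it reads an nsswitch.conf from standard input and confirms that a given database lists "files" before "ldap". The sample nsswitch lines in the comments are the ones authconfig and YaST write; the constructed inputs in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the Cool Solutions article): verify the lookup order
# that /etc/nsswitch.conf gives the RFC 2307 databases. Local accounts such as
# root must resolve from "files" before "ldap" is consulted, otherwise a
# console login hangs or fails whenever the LDAP server is unreachable.
#
# The lines authconfig/YaST write, and that this check expects, look like:
#   passwd: files ldap
#   shadow: files ldap
#   group:  files ldap

# nss_order_ok DATABASE < nsswitch.conf
# Returns 0 if the DATABASE line lists "files" and lists it before "ldap";
# returns 1 if the line is missing, has no "files" source, or puts "ldap"
# ahead of "files". Lines written as "passwd:files" (no space) are not parsed.
nss_order_ok() {
    awk -v db="$1" '
        { sub(/#.*/, "") }                    # drop comments before splitting
        $1 == (db ":") {                      # e.g. the "passwd:" line
            seen = 1
            for (i = 2; i <= NF; i++) {
                if ($i == "files" && !files) files = i
                if ($i == "ldap"  && !ldap)  ldap  = i
            }
            ok = files && (!ldap || files < ldap)
            exit (ok ? 0 : 1)
        }
        END { if (!seen) exit 1 }             # database not configured at all
    '
}

# Usage against the live file (constructed example, run as root):
#   for db in passwd shadow group; do
#       nss_order_ok "$db" < /etc/nsswitch.conf || echo "$db: files must precede ldap"
#   done
```

Run it once after authconfig or YaST has written the file; a non-zero exit for any of the three databases means the host will depend on the LDAP server even for local accounts.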

The authentication service is what actually authenticates users against LDAP. As mentioned above, the PAM LDAP module is used to redirect authentication to Novell eDirectory. The /lib/security/pam_ldap.so PAM module provides LDAP authentication: it verifies a password by binding to the directory as the user's entry with the password that was typed, which is why the LDAP connection should be protected with TLS (see the client configuration sections below).

The tested configuration for the LDAP server was Novell eDirectory 8.7 running on Redhat 8.0 Linux. The tested Linux hosts used for LDAP authentication were Redhat 7.2 and Redhat 8.0.

Configuring Novell eDirectory for Linux System Authentication

The schema used for Linux account authentication is defined in RFC 2307 (http://www.faqs.org/rfcs/rfc2307.html).

Novell provides schema import files in both the traditional eDirectory schema format (.sch) and LDAP Data Interchange Format (LDIF) that can be used to extend the Novell eDirectory schema. The following steps can be used to extend the schema in your environment:

Login to the Linux host running Novell eDirectory as the root user.

Change to /usr/lib/nds-schema by typing: cd /usr/lib/nds-schema

The rfc2307-usergroup schema file in /usr/lib/nds-schema (supplied as rfc2307-usergroup.sch, with rfc2307-usergroup.ldif as the LDIF equivalent) contains the schema required for UNIX and Linux system authentication. Type the following to extend the schema, substituting your tree name and the fully distinguished name of an administrative user: ndssch -h localhost -t YOUR_TREE ADMIN.FDN rfc2307-usergroup.sch

Supply the password for the administrative account provided.

Create a Proxy User for Anonymous Binds

Create a new user account and set the password to null (empty). When prompted, do not click Cancel; click OK so that the account's public/private key pair is generated.

Open the properties of the account and under Password Restrictions uncheck the box that says "Allow user to change password".

On the tree root object, right-click and select "Trustees of this Object". Give the proxy user Browse entry rights, and Read and Compare property rights on the following attributes only (everything this account can read is visible to anyone who binds anonymously, so do not grant it [All Attributes Rights]):

Open the properties of the LDAP Group object of your server and, on the General page, select this new user as the proxy user.

Open the properties of the LDAP Server object and click "Refresh LDAP Server" on the General page so the change takes effect.

Configuring Novell eDirectory Accounts for Linux Authentication

This section shows how to add the posixAccount auxiliary class to a user account and set the required fields.

1. Highlight a User account and right-click on it.

2. Select "Extensions of this Object...".

3. Click "Add Extension..." .

4. Select "posixAccount" from the list and click OK.

5. Press OK on the dialog "Generic Editing..." message to continue.

6. Fill in the fields listed in the next dialog named "New posixAccount":

Field            Purpose                               Example
Name:            The name of this extension            posixAccount
homeDirectory:   The user home directory               /home/ncurtis
uniqueID:        The unique ID of the user             ncurtis
Common Name:     Shown as Other Name in ConsoleOne     Nathan Curtis
gidNumber:       The GID in Linux                      515
uidNumber:       The UID in Linux                      515

The following attribute is also required; add it under the "Other" tab of the object:

Field            Purpose                               Example
loginShell       Sets the user's login shell           /bin/bash

The loginShell attribute is required by SUSE Linux for proper X login.

7. Click OK to save the changes.
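The ConsoleOne steps above can be scripted once there are more than a handful of accounts. The following shell function is an added example, not part of the original article: it emits the LDIF that performs steps 1 to 7 for one user and refuses values that would be unsafe on the Linux clients. The DNs, host name, the allowed-shell list and the rule that IDs below 500 are reserved for local accounts are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the Cool Solutions article): the LDIF equivalent of
# the ConsoleOne steps above, so accounts can be scripted and applied with
# OpenLDAP's client tools, for example (constructed names):
#   posix_ldif 'cn=ncurtis,ou=users,dc=novell,dc=com' ncurtis 515 515 \
#       /home/ncurtis /bin/bash > ncurtis.ldif
#   ldapmodify -x -Z -H ldap://ldap.novell.com -D cn=admin,dc=novell,dc=com -W -f ncurtis.ldif

# posix_ldif DN UID UIDNUMBER GIDNUMBER HOMEDIR SHELL
# Prints a "changetype: modify" LDIF that adds the posixAccount auxiliary class
# and its RFC 2307 attributes to an existing eDirectory user. Prints nothing
# and returns 1 if a value is unsafe. eDirectory exposes the uniqueID field
# from the ConsoleOne dialog as the LDAP "uid" attribute, and a user normally
# has one already, which is why uid is replaced rather than added.
posix_ldif() {
    dn=$1 uid=$2 uidn=$3 gidn=$4 home=$5 shell=$6
    # uidNumber and gidNumber must be plain numbers ...
    case $uidn in ''|*[!0-9]*) return 1 ;; esac
    case $gidn in ''|*[!0-9]*) return 1 ;; esac
    # ... and the UID must not collide with local system accounts: a directory
    # entry carrying uidNumber 0 would be root on every client host. This
    # example assumes the Red Hat/SUSE convention that IDs below 500 are local.
    [ "$uidn" -ge 500 ] || return 1
    # homeDirectory must be absolute; loginShell must be one the clients allow
    # (compare against /etc/shells on a real host; the list here is assumed).
    case $home in /*) ;; *) return 1 ;; esac
    case $shell in /bin/sh|/bin/bash|/bin/false|/sbin/nologin) ;; *) return 1 ;; esac
    cat <<EOF
dn: $dn
changetype: modify
add: objectClass
objectClass: posixAccount
-
replace: uid
uid: $uid
-
add: uidNumber
uidNumber: $uidn
-
add: gidNumber
gidNumber: $gidn
-
add: homeDirectory
homeDirectory: $home
-
add: loginShell
loginShell: $shell
EOF
}
```

The validation is the part worth keeping even if you generate the LDIF some other way: nss_ldap hands uidNumber straight to the kernel, so a typo or a deliberately chosen low number in the directory becomes a privilege on every host that trusts it.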

Configuring a Redhat Linux Host (LDAP client)

The following steps show the easiest way to configure a Redhat Linux host to redirect authentication to LDAP.

Login as root.

From a terminal type: authconfig

On the "User Information Configuration" screen select "Use LDAP"

Select "Use TLS".

Add the LDAP server in the server field and the search base of where users are located. For example:

Server: ldap.novell.com
Base DN: ou=users,dc=novell,dc=com

Select Next.

The next screen, "Authentication Configuration", is pre-filled with the server and base DN entered above. Make sure "Use LDAP Authentication" is selected, tab through the screen and select OK.

Restart the Linux system, or stop and restart the display manager if testing graphical logins (switching to runlevel 3 and back to 5 does this); pressing Ctrl+Alt+Backspace only restarts the X server and is not enough. Terminal logins should work without rebooting.

Configuring a SUSE Linux Host (LDAP client)

Start the YaST2 Control Center: /sbin/yast2 menu

Select the "Network/Advanced" section and then "LDAP client".

Select "Use LDAP".

Add the LDAP server in the server field and the search base of where users are located. For example:

Base DN: ou=users,dc=novell,dc=com

Addresses of LDAP Servers: ldap.novell.com

Select LDAP TLS/SSL.

Save your changes by clicking Finish.

Dynamically Creating User Home Directories

If user home directories are going to live on the local host, PAM needs to create them dynamically on first login. Without a home directory the user gets an error at a text login and is refused an X session altogether.
The following configures PAM to create a user's home directory during login if it does not exist. For additional information see TID 10067700 "How to create homedirectories on Unix automatically".

SUSE Linux 8.1

1. Open the /etc/pam.d/login file and add the following line above the first session line:
session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022

2. Open the /etc/pam.d/xdm file and add the following line above the first session line:
session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022

If you want SSL enabled, you also need to configure the ldap.conf file: it must contain the entries "ssl on" and "sslpath /path/cert7.db", where cert7.db is the certificate database in which the eDirectory LDAP server's certificate (or the CA that issued it) is trusted.

Redhat Linux 7.2 and 8.0

1. Open the /etc/pam.d/system-auth file and add the following line above the first session line:
session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
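The "add this line above the first session line" edit appears three times above (SUSE login and xdm, Redhat system-auth). The shell function below is an added example, not part of the original article or of the pam_mkhomedir distribution: it performs that edit on any PAM service file read from standard input, does nothing if the module is already present, and lets you tighten the umask. The sample PAM lines used in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the Cool Solutions article): insert the
# pam_mkhomedir session line from the SUSE and Red Hat steps above without
# editing by hand, so the change is identical on every host and safe to re-run.
# The file is read from stdin and the edited copy written to stdout, e.g.:
#   pam_add_mkhomedir < /etc/pam.d/system-auth > /etc/pam.d/system-auth.new
# and the new file moved into place after inspection.

# pam_add_mkhomedir [UMASK] < pam-file > edited-pam-file
# Inserts the pam_mkhomedir session line above the first "session" line, or
# at the end if the file has none. If pam_mkhomedir.so is already referenced
# anywhere, the file is passed through unchanged. UMASK defaults to the 0022
# used in the article, which makes new home directories world-readable;
# 0077 keeps them private to their owner.
pam_add_mkhomedir() {
    umask_val=${1:-0022}
    line="session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=$umask_val"
    # stdin is not seekable, so read the file once and scan the copy twice.
    pamfile=$(cat)
    if printf '%s\n' "$pamfile" | grep -q 'pam_mkhomedir\.so'; then
        printf '%s\n' "$pamfile"
        return 0
    fi
    printf '%s\n' "$pamfile" | awk -v line="$line" '
        $1 == "session" && !done { print line; done = 1 }   # above first session line
        { print }                                            # copy every line
        END { if (!done) print line }                        # no session line: append
    '
}
```

Commented-out lines such as "#session ..." do not count as the first session line, because awk compares the whole first field. Apply it to each of the three files named above; on Redhat the single system-auth file covers every service that includes it.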

Note: the certificate used by the eDirectory LDAP server (or the CA that issued it) must be added to the cert7.db. TID 10090049 gives a step-by-step guide to inserting your certificate into cert7.db.
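Selecting "Use TLS" (Redhat) or "LDAP TLS/SSL" (SUSE), and the "ssl on" / sslpath notes above, all end up as a few lines in the PADL-format /etc/ldap.conf. What follows is an added example, not from the original article: the weak form of that file beside a hardened one, and a check that a file turns TLS on, names a trust store and does not switch off server verification. Host name, base DN and certificate paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the Cool Solutions article): the /etc/ldap.conf that
# authconfig and YaST write once TLS is selected, shown weak and hardened,
# plus a check for the settings that matter. Names and paths are assumed.

# Weak: no TLS at all. pam_ldap authenticates by binding as the user with the
# typed password, so every login sends that password to the server in clear.
WEAK_LDAP_CONF='host ldap.novell.com
base ou=users,dc=novell,dc=com'

# Hardened: StartTLS on port 389 ("ssl on" instead gives LDAPS on 636), a
# trust store holding the eDirectory CA, and explicit server verification so a
# spoofed server cannot harvest passwords. Builds linked against the Mozilla
# certificate database use "sslpath /path/to/cert7.db-dir" rather than
# tls_cacertfile, as the SUSE and Redhat notes above describe.
HARDENED_LDAP_CONF='host ldap.novell.com
base ou=users,dc=novell,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/edir-ca.pem'

# ldap_conf_tls_ok < ldap.conf
# Returns 0 when the file enables TLS ("ssl on" or "ssl start_tls"), names a
# trust store (tls_cacertfile, tls_cacertdir or sslpath) and does not contain
# "tls_checkpeer no"; returns 1 otherwise.
ldap_conf_tls_ok() {
    awk '
        { sub(/#.*/, "") }                                                # drop comments
        $1 == "ssl" && ($2 == "on" || $2 == "start_tls")           { tls = 1 }
        $1 == "tls_cacertfile" || $1 == "tls_cacertdir" || $1 == "sslpath" { trust = 1 }
        $1 == "tls_checkpeer" && $2 == "no"                        { nocheck = 1 }
        END { exit !(tls && trust && !nocheck) }
    '
}

# Usage on a configured client (constructed example):
#   ldap_conf_tls_ok < /etc/ldap.conf || echo "ldap.conf sends passwords in the clear or trusts any server"
```

On the server side the LDAP Group object has a "Require TLS for Simple Binds with Password" setting; leave it enabled so eDirectory refuses cleartext binds even from a client whose ldap.conf fails this check.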

Comments and Suggestions

Anonymous

This is virtually useless without a way to put the user's home directory on a NetWare server. I suppose it might be morbidly amusing to know that users leave their files stranded on whichever station they last used, but we generally try to be *nice* to our users.